The Security Detail

Experian Data Breach Resolution and the Ponemon Institute today released a new study that finds that, despite the majority of companies experiencing or anticipating significant cost and business disruption due to a material data breach, they still struggle to take the proper measures to mitigate damage in the wake of an incident. The report, Is Your Company Ready for a Big Data Breach?, examines the consequences of data breach incidents and the steps taken to lessen future damage. Respondents include senior privacy and compliance professionals of organizations that experienced at least one data breach. The top three industries represented are retail, health and pharmaceuticals, and financial services.

“A majority of companies we surveyed indicate they have already or are very likely to lose customers and business partners, receive negative publicity and face serious financial consequences due to a data breach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Yet, despite understanding the consequences, many companies struggle to take the right steps to mitigate the fallout following an incident, demonstrating a need for better awareness and investment in the tools that can alleviate negative customer perceptions.”

Key findings include:

Companies experience and anticipate harm due to breaches

Companies that suffer data breaches experience significant costs and business disruption, including the loss of business and trust from customers, negative media attention and legal action.

Seventy-six percent of privacy professionals say their organization already had or expects to have a material data breach that results in the loss of customers and business partners.

Similarly, 75 percent say they have had or expect to have such an incident that results in negative public opinion and media coverage.

Sixty-six percent of companies have or believe they will suffer serious financial consequences as a result of an incident.

Despite experiencing a breach, not all companies prepare for a future breach.

Thirty-nine percent of companies say they have not developed a formal incident breach preparedness plan even after experiencing a breach.

Only 10 percent of organizations have data breach or cyber insurance.

A majority of organizations surveyed don’t provide clear communication and notification to victims following an incident.

In fact, only 21 percent of respondents have communications teams trained to assist in responding to victims.

Additionally, only 30 percent of respondents say their organizations train customer service personnel on how to respond to questions about the data breach incident.

The vast majority (65 percent) also lack mechanisms to verify that contact with each victim was completed, and only 38 percent have mechanisms for working with victims with special circumstances.

The survey also finds that organizations are missing security technology safeguards and tools to prevent or understand the extent of an incident.

Encryption is not widely deployed: Less than one-third of respondents say sensitive or confidential personal and business information stored on computers, servers and other storage devices is generally encrypted.

Forensics is lacking: Many organizations lack the forensics capabilities to fully understand the nature and extent of the incident.

Only 36 percent have the tools or technologies to assess the size and impact of a data breach.

Nineteen percent have advanced forensics to determine the nature and root causes of cyberattacks.

Only 25 percent have the ability to ensure the root cause of the data breach was fully contained.

“The study findings show that organizations need to prioritize preventing future breaches and better manage post-breach response,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “In addition to improving technical safeguards, it’s clear that companies also should focus more attention on meeting the needs of affected consumers that suffer a data breach.”

More Than 70% of IT Security Professionals Believe Their Organizations Will Suffer a Data Breach in Next Six Months According to Lieberman Software Survey

A survey conducted recently by Lieberman Software Corporation revealed that more than 70% of IT security professionals would not be willing to bet $100 of their own money that their companies will not suffer a data breach in the next six months.

The survey, which was carried out in February at RSA Conference 2013, measured the attitudes of nearly 250 IT security professionals and the way their organizations manage cyber security. Nearly 50% of respondents work in organizations with more than 1,000 people.

The study also revealed that a third of organizations do not have a policy making it compulsory to change default passwords when deploying new hardware, applications and network appliances to the corporate network.

Commenting on the research, Philip Lieberman, President and CEO of Lieberman Software, said: “These figures highlight the fact that IT security professionals realize that most organizations are woefully unprotected against cyber attacks. While vendors of conventional security products — like firewalls and anti-virus — are constantly updating their tools to reactively protect against the latest threats, hackers are looking for flaws and engineering new attacks to exploit them. The reality is that 100% protection is nearly impossible to achieve, but there are still best practices for securing access to critical systems and data that many organizations tend to ignore.

“For example, this survey revealed the unfortunate fact that so many IT groups are still not changing default passwords when deploying new systems. This should be a standard practice. Default privileged passwords are, in a sense, hidden backdoors onto systems that are deployed on a network. Most default passwords are publicly known and easily found online, meaning anyone with malicious intent can use these default credentials to gain anonymous access to systems and applications throughout the enterprise.

“IT departments that do not have a solution in place to automatically detect, flag and change default privileged passwords on newly deployed systems are neglecting a very common security hole.”
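The "detect, flag and change" control described above can be checked against a deployment inventory. The following is an added example, not Lieberman Software's product: it compares each privileged account's stored hash against a list of known product defaults and also flags accounts with no rotation recorded since deployment. The inventory, the product names, the placeholder default strings and the sha256(salt + password) storage format are all constructed assumptions for the example.

```python
"""Audit a deployment inventory for privileged accounts that still carry vendor
default credentials or were never rotated after deployment.
Added example (not Lieberman Software's product); all data below is constructed."""
import hashlib
from datetime import date

# Constructed placeholder defaults, keyed by product. A real audit would load the
# vendor's documented defaults; these strings are invented for the example.
VENDOR_DEFAULTS = {
    "acme-router": ["changeme-A1"],
    "acme-nas": ["changeme-N1", "changeme-N2"],
}


def stored_hash(salt: str, password: str) -> str:
    """Stand-in for the hash format a configuration store keeps (assumption:
    sha256 over salt + password). Used both to build the sample and to compare."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample inventory of privileged accounts on newly deployed systems.
INVENTORY = [
    {"host": "r1", "vendor": "acme-router", "account": "admin", "salt": "s1",
     "pw_hash": stored_hash("s1", "changeme-A1"),
     "deployed": date(2013, 3, 1), "pw_changed": None},
    {"host": "nas1", "vendor": "acme-nas", "account": "root", "salt": "s2",
     "pw_hash": stored_hash("s2", "ops-set-unique-9f3k"),
     "deployed": date(2013, 3, 2), "pw_changed": date(2013, 3, 2)},
    {"host": "nas2", "vendor": "acme-nas", "account": "root", "salt": "s3",
     "pw_hash": stored_hash("s3", "ops-set-unique-7q2m"),
     "deployed": date(2013, 2, 1), "pw_changed": None},
]


def audit_default_credentials(inventory, defaults):
    """Return one finding per account that fails the policy, with the reasons.
    A hash match against a known default is the hard failure; a missing rotation
    record is flagged too, because the policy is 'changed at deployment', not
    'hoped to be unique'."""
    findings = []
    for item in inventory:
        reasons = []
        if any(stored_hash(item["salt"], d) == item["pw_hash"]
               for d in defaults.get(item["vendor"], [])):
            reasons.append("matches vendor default")
        if item["pw_changed"] is None:
            reasons.append("no rotation recorded since deployment")
        if reasons:
            findings.append({"host": item["host"], "account": item["account"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_default_credentials(INVENTORY, VENDOR_DEFAULTS):
        print(f"{f['host']}/{f['account']}: {', '.join(f['reasons'])}")
```

Run on the sample, `r1` is reported for both reasons and `nas2` only for the missing rotation record; `nas1` passes. Comparing hashes rather than plaintext means the audit never needs the live password, and the rotation-record check catches the case the hash check cannot: a password that happens to be unique but was never formally set by the deployment process.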

Is your software up to date? Do you have automatic updates enabled in Windows, and for any other applications that offer it?

I hope so. Keeping your software up to date is the most crucial element of maintaining a secure PC. Granted, there’s no such thing as “bullet proof”, and attackers will always find new ‘zero day’ flaws to exploit. But, those aren’t the vulnerabilities yielding massive numbers of compromised systems. The malware attacks that generally spread the farthest and do the most damage tend to target flaws that are already known, and that patches have already been developed for.

The truth of the matter is that the fact a patch exists makes it more likely that the underlying flaw will be attacked. Many vulnerabilities are discovered by security researchers or hackers with ethical standards, and are reported to the vendor to be dealt with before attackers even know they exist. Once the patch comes out, though, attackers can reverse-engineer it to discover what the flaw is, then develop an exploit to go after it. If you don’t apply the patches as they come out, you’re exposing yourself to increased risk.

Collecting data from 11 million users, Kaspersky put together an extensive report on the state of vulnerabilities. Kaspersky found that the average user has 12 unpatched vulnerabilities, and that Java, Adobe Reader, and Adobe Flash are the primary culprits. Check out the full report from Kaspersky, and make sure you keep your software up to date.

Consider a jigsaw puzzle. Assume you don’t have the box with the picture of the completed puzzle on it–just a pile of pieces. You don’t know what the end result is supposed to look like, but you can at least start with the straight edges, match like colors and images, and eventually put the puzzle together to reveal the full image.

Now think about whether or not you could guess what the whole puzzle looks like if you only have one piece.

That is similar to the dilemma companies–and nation-states–face when it comes to defending against sophisticated cyber attacks. One company may have one piece of the puzzle, and another company may see some suspicious activity that reveals another piece of the puzzle. But, unless the different parties get together and compare their pieces it’s very difficult to put the whole puzzle together to get the big picture view of what’s going on.

A blog post from Cisco analyzing the recent DarkSeoul attacks against assets in South Korea, explains, “There is a renewed push for data sharing and transparency in the industry, and incidents like this one highlight how important this sharing is to the entire community of defenders.”

Cisco stresses that data-sharing is a crucial element of an effective cyber defense.

Congressmen Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD)–leaders of the House Permanent Select Committee on Intelligence–recently resubmitted the Cyber Intelligence Sharing and Protection Act (CISPA) for consideration. CISPA was shot down last year, but the dramatic increase in both volume and scope of sophisticated cyber attacks such as DarkSeoul illustrates the need for broader sharing of information between the national intelligence community, security vendors, and private corporations in general.

There is still significant backlash against CISPA. There are privacy and oversight concerns to overcome, but most have been addressed already through amendments. CISPA–or legislation much like it–is essential to facilitate the kind of data sharing necessary for putting all of the pieces of the puzzle together. Without it, everyone will just stare at their own piece of the puzzle and wonder what the rest of it looks like until it’s too late.

They say the best things in life are free. For Android tablet and smartphone users, Kaspersky is helping to make the axiom true with free security software.

Mobile malware has risen dramatically in recent years, and almost all of the malware detected and identified by security researchers is targeted at Android. Kaspersky is making Kaspersky Tablet Security (for Android tablets) and Kaspersky Mobile Security (for Android smartphones) available for free. If you have one of those grotesquely large Samsung Galaxy Note Frankenstein “phablets”, I’m not sure which version you’d use.

These security tools are not limited or watered-down in any way. They are full-featured, fully functional versions.

As a bonus, Kaspersky also added an alarm feature to both KTS (Kaspersky Tablet Security) and KMS (Kaspersky Mobile Security). If your device is lost or stolen, you can activate a siren on the device to help locate it. The feature is accessible through a Web portal, which includes other anti-theft features as well to allow you to track and locate the device, and remotely lock the device or wipe all data from it. You can also remotely activate the camera to snap a series of pictures to try and catch a glimpse of the thief.

There are Premium versions of both products available. The Premium version of KTS is $20 for a one-year license, and the Premium version of KMS is $15 for a one-year license. The Premium versions include automatic and scheduled scans, automatic scanning and filtering of text messages, and connection to Kaspersky Lab’s cloud database of emerging threats.

US Treasury Secretary Jack Lew recently traveled to China–the first diplomatic contact between the United States and China in months as we’ve waited for the dust to settle on the transition of Chinese leadership. One of the top issues Lew addressed with the powers that be in Beijing is the concerning trend of cyber attacks against the United States emanating from China.

Following the meeting, Lew told reporters, “This is a very serious threat to our economic interests. There was no mistaking how seriously we take this issue.”

I don’t envy Lew. I assume there was some tension in the air. The implication and assumption by many in the United States is that the Chinese government and/or Chinese military is behind the rise in cyber attacks and cyber espionage against high-profile government, military, and private sector corporations in the United States. China denies involvement, and claims that it is also a target of similar attacks.

Lew was in the position of having to craft a message–a diplomatic request for China to “help” the United States combat these attacks, while also subtly, but clearly indicating that we are fairly sure China is to blame, and that we are very serious about putting a stop to it. I imagine it was a somewhat thinly-veiled, passive aggressive sort of message.

Congressman Mike Rogers (R-MI), and congressman Dutch Ruppersberger (D-MD) recently re-submitted their CISPA (Cyber Intelligence Sharing and Protection Act) legislation which was shot down last year. The two believe that the rise in both scope and volume of cyber attacks warrants giving the bill another look. It still faces significant backlash from the usual suspects (EFF, ACLU, etc.), but there are a number of amendments to the legislation which address the major concerns over jurisdiction and privacy, and there is still time to introduce further amendments and negotiate a compromise to pass the bill and give the United States a more effective means of identifying and blocking sophisticated cyber espionage attacks.

21st century organisations are exposed to increasing levels of cyber threat as corporate boundaries are extended through the increased adoption of ecommerce platforms, the outsourcing of business processes to cloud-based providers, and employees’ use of personal devices and social networks in the workplace. As a result, the number of organisations reporting a security breach is growing all the time. In response, a plethora of information security standards designed to mitigate risks have been introduced. These standards originate from multiple sources – internal governance teams, trading partners and regulatory bodies – as each takes steps to protect their interests. Even though these standards proffer similar practices and procedures, there is no common or unified approach, which frequently leaves organisations burdened with multiple, overlapping compliance standards. Furthermore, compliance involves many stakeholders: trading partners, regulatory bodies, external auditors, as well as an organisation’s own people such as the compliance, IT and executive teams. As such, compliance cannot be viewed as a single internal process; it can be extremely complex, crossing business functions, transcending corporate boundaries and processes, and needing to consider the different interests and objectives of each stakeholder.

A market with more challenges than answers

Even when it comes to an area driven by regulatory requirements – as Governance, Risk and Compliance (GRC) is – IT spend is kept under careful scrutiny. This creates a recurring problem for most of today’s leading enterprise IT GRC solutions. They are comprehensive in nature and require organisations to adapt internal processes to meet prescriptive software that demands best practice at every level. Their all-or-nothing quality makes it difficult to pilot solutions. Valuable resources are tied up managing multiple point solutions, and projects inevitably suffer from lengthy implementation timeframes. And there is a direct correlation between implementation time and the potential for project failure. Another reason for failure is that the software licences are too complicated for what organisations need.

In the absence of automated GRC applications, the only real alternative left to IT and compliance teams is to rely on the next best tools for the job – spreadsheets. Spreadsheets are regularly used for such risk assessment activities as asset registers, compliance audits, project planning, risk treatment, records management, third-party assurance, user awareness questionnaires, incident responses, gap analysis and management reporting. It is not uncommon to find hundreds if not thousands of spreadsheets in circulation between multiple internal and external stakeholders, from internal auditors, HR and IT to external auditors, trading partners and suppliers. Process and workflow management, however, tends to be manual rather than automated, leading to a scatter-gun approach that is inefficient, labour intensive and complicated. An over-dependence on spreadsheets makes the compliance process extremely time consuming, inefficient and prone to human error. Such inefficiencies have hidden costs and run the risk of delivering results that are not fit for purpose.

Simplifying compliance the SaaS way

SureCloud advocates a collaborative approach to compliance using a Software-as-a-Service model. This approach has key advantages. First, it is much simpler. Immediate compliance goals can be met with a short-term project for just a few thousand pounds rather than having to commit hundreds of thousands to doing everything over a much longer period. Second, starting small and evolving processes to suit specific solutions or use cases over time results in greater agility and considerably reduces the risk of IT GRC project failures. By adhering to four central pillars – agility, accountability, connectivity and scalability – it is possible to automate any IT GRC process. At the heart of the solution is a set of standard template forms – designed in collaboration with hundreds of partners – for all of the key standards, which give users the ability to define any input according to fields, lists, formulae or any other type of system object. Single tasks can be built up easily into projects. A central library (with links to SharePoint) stores all documentation and connects to the compliance process. Customer data can either reside within SureCloud or stay on-premise and merely link to the solution. There is a powerful records management facility with granular permissions. Evidence and records can only be approved or removed with the appropriate authorisation, allowing organisations to demonstrate their compliance with requisite rules and regulations. Additionally, in-built workflows, reports and dashboards help users deliver management and operational information (or they can develop their own if they choose to). Internal and external groups are given access control, and the status of their individual input is reflected on the dashboard, giving the customer actionable intelligence about where they meet compliance, where they do not, and where suppliers are posing a risk.

Collaborative compliance in action

SureCloud is able to point to hundreds of financial, retail and central & local government organisations who are benefiting from its approach. One leading UK debt collection agency is typical. Their clients, comprising leading financial institutions, expect a demonstrable level of compliance with standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Data Protection Act and ISO27001. The collaborative compliance approach has allowed this customer to consolidate multiple solutions into one platform and gain a clear picture of security status and demonstrable compliance with PCI-DSS. Plus:

· Reduced TCO with multiple point solutions in a single platform

· Clear user interface – easy access to information

· High quality penetration testing services

· Highly responsive customer support – product and security related.

Conclusion

Information security compliance is designed to help, not hinder. It recognises the significant value of corporate information assets and the need to safeguard them, both for competitive advantage and to protect personal privacy. With a simpler, streamlined approach that enables collaborative working, every touch point in your information value chain can contribute to your information security programmes, ensuring that compliance is achieved, and maintained, in a cost-effective manner. Collaborative compliance embraces multiple internal teams and systems, as well as external stakeholders, to bring together the fragmented compliance landscape and streamline IT GRC processes. With SaaS underpinning the delivery and commercial model, collaborative compliance is the way ahead for organisations seeking visibility and control of their information security programmes, at a price point that encourages trial and de-risks enterprise rollouts.

Most organisations today are seriously under-estimating how easy achieving demonstrable compliance can be.

SureCloud is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk.

This is a guest post by David Gibson, vice president of strategy, Varonis:

The present malaise which has hit UK High Street retailers such as Jessop’s, HMV and Blockbusters, with others to follow, is not just a symptom of the macro-economic situation. Whether it was complacency, denial, or simply not being able to see the forest for the trees, by the time these retailers realised their business models were threatened it was too late. That digital camera sales would fall as camera-equipped smartphone sales increased shouldn’t have taken anyone by surprise, but what can organisations do to get ahead of more subtle trends that might threaten their business?

For many years UK High Street retailers have had at their disposal information in their computer systems which retailers in other countries have used to gain massive competitive advantage. Hidden in the midst of vast amounts of computer data is metadata that could have helped the High Street shops build a strategy to keep ahead and even thrive in the online world.

We have entered an era where organisations have more data than ever that must be continuously managed and protected in order for it to remain safe and retain its value. To do so, organisations need continuous, up-to-date data about the data—to comprehensively manage data, you need metadata. Use and analysis of metadata is already more common than we realise; automated collection, storage, analysis, and presentation of metadata has become a necessity for survival in the new metadata era as the demise of HMV particularly shows.

How the seeds of HMV’s demise were sown is detailed in a recent article in The Guardian: Philip Beeching, HMV’s marketing advisor, pointed out to their board that the biggest threat to HMV’s business would come from: “Online retailers, downloadable music and supermarkets discounting loss leader product.” To his amazement, the HMV CEO reacted with anger: “I have never heard such rubbish,” he said, “I accept that supermarkets are a thorn in our side but not for the serious music, games or film buyer and as for the other two, I don’t ever see them being a real threat, downloadable music is just a fad and people will always want the atmosphere and experience of a music store rather than online shopping.”

Supermarkets and Amazon wiped out the healthy margins HMV enjoyed and iTunes provided a brand new way to obtain and enjoy music without buying whole CDs or albums. HMV, Tower Records, Blockbuster and others bit the dust. So how did they lose out?

Companies are sometimes brought down purely by external disruptions like technological change or consumer tastes. However, they are more frequently brought down by their own inability to detect the currents of change and accept the forces of evolution. If HMV had woken up, it would have led the migration to online retailing. But it had no one to analyse the hidden secrets in its own data vaults. Maybe if it had it would have listened to them!

Let’s take bookselling as an example of how powerful metadata can be. For booksellers, basic retail metadata is a collection of attributes—ISBN, title, author, copyright year, price, subject category, etc. In the book What We Talk About When We Talk About Metadata, Laura Dawson says: “The concept of digital metadata for the commercial book world originated in the 1970s and early 1980s, when bar coding on books was introduced and electronic transactions between retailers and publishers began.”

Dawson believes that even prior to e-commerce, retailers such as Barnes & Noble and Borders rose to prominence because they made great use of computer transactions and scanners, realizing tremendous speed and logistics savings through their computer systems. Metadata—as bare-bones as it was—was a crucial element in the success of the superstore. A database of inventory (consisting of ISBN, title, author, price, status, quantity on hand, quantity on order, and where in the store the book was supposed to be shelved) allowed store personnel to know stock levels and locations of books.

Metadata changed again with the internet and the adoption of metadata analytics. Until the early 1990s, computer systems in both libraries and bookstores were very basic systems that could track inventory and facilitate orders, but little more. Launched in 1995, Amazon eventually took full advantage of the internet and metadata analytics. In fact, when the meteor of Amazon’s online bookstore hit the publishing industry, it was clear that the world of metadata was never going to be the same.

Because of Amazon, consumers were looking at metadata analytics as Amazon recommended other items that they might be interested in based on their prior purchases, and the purchase patterns of other similar users. Although we have taken this example from the book trade, it can be replicated on any High Street retailer in the UK in any vertical retail sector – those who did not use the data available in their computer systems did not gain the competitive advantage they needed. Those who saw the value of their own hidden gems of metadata harvested rich rewards.

Of course, this data can be just as damaging for the organisation in the wrong hands. The key is to not only mine this rich seam of information but also safeguard it by controlling who has access to it and curtailing access to those who don’t need it, monitoring its use, and flagging potential abuse.
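The safeguards the paragraph lists (control who has access, curtail access for those who do not need it, monitor use, flag abuse) can be expressed as a small monitor over the metadata store's access log. The following is an added example and not Varonis code: it parses constructed log lines, checks each access against an entitlement table, flags single accesses that pull an implausible number of rows, and lists entitlements nobody has used in the observed window as candidates for removal. The log format, the dataset names, the users and the bulk threshold are all constructed assumptions.

```python
"""Access monitoring for a metadata store: enforce entitlements, flag bulk
extraction, and list entitlements nobody uses (candidates for removal).
Added example, not Varonis code; the log lines and entitlement table are constructed."""
import re
from collections import defaultdict

# Constructed sample access log (one event per line).
ACCESS_LOG = """\
2013-03-11T09:02:11 user=alice dataset=sales_metadata action=read rows=120
2013-03-11T09:05:40 user=bob dataset=sales_metadata action=read rows=80
2013-03-11T09:07:02 user=carol dataset=sales_metadata action=export rows=250000
2013-03-11T09:10:55 user=dave dataset=hr_metadata action=read rows=40
2013-03-11T09:12:13 user=alice dataset=hr_metadata action=read rows=5
"""

# Constructed entitlement table: who is supposed to touch which dataset.
ENTITLEMENTS = {
    "sales_metadata": {"alice", "bob", "carol", "erin"},
    "hr_metadata": {"dave"},
}

# Rows per single access above which an export looks like bulk extraction
# (threshold is an assumption; tune it to the dataset's normal query sizes).
BULK_ROW_THRESHOLD = 10_000

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dataset=(?P<dataset>\S+) "
    r"action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped
    rather than allowed to crash the monitor."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def flag_abuse(events, entitlements, bulk_threshold=BULK_ROW_THRESHOLD):
    """Return (user, dataset, reason) tuples in log order: accesses by users who
    are not entitled to the dataset, and single accesses that exceed the bulk
    threshold regardless of entitlement."""
    findings = []
    for e in events:
        if e["user"] not in entitlements.get(e["dataset"], set()):
            findings.append((e["user"], e["dataset"], "not entitled"))
        if e["rows"] > bulk_threshold:
            findings.append((e["user"], e["dataset"], "bulk extraction"))
    return findings


def unused_entitlements(events, entitlements):
    """Entitled users with no access in the observed window: least-privilege
    clean-up candidates, returned as sorted (dataset, user) pairs."""
    seen = defaultdict(set)
    for e in events:
        seen[e["dataset"]].add(e["user"])
    return sorted((ds, u) for ds, users in entitlements.items()
                  for u in users - seen[ds])


if __name__ == "__main__":
    evts = parse_log(ACCESS_LOG)
    for finding in flag_abuse(evts, ENTITLEMENTS):
        print("ABUSE?", *finding)
    for ds, user in unused_entitlements(evts, ENTITLEMENTS):
        print("UNUSED", ds, user)
```

On the sample, carol's 250,000-row export is flagged as bulk extraction even though she is entitled, alice's read of `hr_metadata` is flagged as not entitled, and erin's unused entitlement to `sales_metadata` is listed for review. The two checks are deliberately independent: entitlement answers "may this person see it at all", the volume check answers "is this use consistent with a legitimate need".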

This is a guest post by Mark Bower, Vice President, Product Management at Voltage:

Once mostly prohibited by IT, smartphones and tablets—such as Android-based phones and Apple iPads—are now being used by hundreds of millions of employees worldwide to access, transmit and store corporate information in today’s 24×7 business environment. This “extended enterprise” introduces new challenges and complexities for IT. Not surprisingly, security has emerged as the No. 1 challenge posed by the BYOD (“bring your own device”) trend.[1] IT organisations are concerned with device loss, data leakage and unauthorised access to corporate resources, as well as the growing use of “guest access” to corporate networks.

In response to these perceived risks, organisations have begun implementing a range of data security measures. Traditional approaches involve perimeter-based security controls such as firewalls and smart screen filters. But no amount of perimeter defense can protect data accessed by and subsequently stored on and transmitted by smartphones and tablets, especially outside of enterprise control.

Five Things To Know About Mobile Data Security

There are three mission-critical areas in which mobile data must be protected without disrupting user productivity:

· To protect e-mail communication that contains sensitive information and is subject to regulatory compliance.

· To protect sensitive business data and files.

· To protect transaction data captured by new mobile payment methods.

Even as security threats loom, informed organisations have an advantage. These five tips can make or break mobile data security efforts:

1. It’s all about securing data.

In an ideal world, sensitive data travels in well-defined paths from data repositories to a well-understood set of applications. In the real world, however, data travels everywhere, anytime, with constantly shifting applications running on an evolving set of platforms. The data lifecycle is often complex, extending beyond the container and the application—even outside the enterprise into offsite backup services, cloud analytic systems and outsourced service providers. Not to mention the onslaught of user-owned devices making their way into the fold. So although armoring applications and devices is one dimension in establishing a defensive posture, it isn’t the entire answer—nor is the installation of security solutions from a wide range of vendors. There will be security gaps that eventually impede enterprise risk management and user productivity. Rather, data security is a multi-pronged risk challenge that requires a data-centric approach across all dimensions.

2. Assume you’ve been breached.

That’s the unsettling opinion of Shawn Henry, the U.S. Federal Bureau of Investigation’s top cybersecurity officer. Henry, formerly Executive Assistant Director at the FBI, told The Wall Street Journal that current approaches to fending off hackers are “unsustainable.”[2] FBI agents increasingly come across data stolen from companies whose executives had no idea their systems had been accessed. “We have found their data in the middle of other investigations,” he told the Journal. “They’ve been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially.” The challenge is only compounded by the proliferation of smartphones and tablets. Henry said companies need to make major changes to avoid further damage to national security and the economy.

Mobile devices are endpoints that require the same attention that is given to PCs and laptops. Many of the same processes and policies that are leveraged for PCs and laptops are applicable to mobile platforms. Still, mobile devices are built for connectivity; the personal nature of these devices, combined with the inability to regulate or monitor user activity, means that the focus of protection must change. Simply adding another “point solution” isn’t the answer. Enterprises need to make mobile data security part of their risk management strategy—consistent with desktop and laptop security—without compromising the user experience.

4. You don’t have to forfeit usability for security.

The primary purpose of smart device adoption is to improve productivity for a geographically distributed and highly mobile workforce. Security mustn’t be a barrier to productivity. Still, current mobile security solutions focus on creating boundaries within the devices on which data can be stored and accessed. When encryption is used, it’s typically non-user-friendly, non-application-specific and lacks granular policy controls. Additionally, it usually relies on a traditional key management approach that requires massive investment to scale in today’s environment. Security for mobile data must be as transparent as possible without losing effectiveness, and it must not intrude on familiar user experiences—yet it has to provide IT with the control it needs in order to ensure security at the data level.

5. Compliance doesn’t equal security.

Compliance relevant to IT systems is now being extended to mobile devices—and for very sound data risk reasons. Companies must understand how these same data privacy, regulatory compliance and risk management practices should be applied to the mobile and cloud platforms. But being certified compliant or using solutions that help achieve compliance doesn’t always translate into effective data security. For example, a desktop computer stolen from a California health care organisation was password-protected but unencrypted. The theft potentially exposed the personal information of nearly four million patients.[3]

Mobile Security In The Real World

Over the years, companies have taken numerous approaches to mobile security. These have ranged from banning such devices altogether from the corporate network to remotely “wiping” corporate data in the event of the loss or theft of a device, to adopting a “container” approach to protect mobile apps and data. None of these approaches is satisfactory. In a data-centric approach to mobile security, data (both structured and unstructured) is encrypted as soon as it’s acquired. It remains encrypted as it is used, stored or moved across data centers, public and private clouds and devices, to be decrypted only by the intended party. The goal is to devalue or “kill” data, so that even in the event of a breach, the encrypted data will have no value to cybercriminals. And data is protected without disruption of user productivity.

Traditional security approaches lock down the infrastructure, but that’s not the target for today’s cybercriminals. They want sensitive data, which is valuable; easily monetised; and increasingly on the move, into and out of IT infrastructures. And they fully understand where and when to find “data in the clear,” when it’s most vulnerable, and they’re willing to wait.
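The data-centric model described above, as an added example in Go that is not code from the original article or from Experian: a record is sealed with AES-256-GCM at the point of acquisition, the storage and transport hops (`Relay`) only ever handle ciphertext, and only the holder of the data key can turn it back into plaintext. The record ID is bound as associated data so a ciphertext cannot be quietly re-labelled, and any tampering or wrong key fails authentication. The key handling (`RandomKey`) and the sample patient record are constructed for the demonstration; a real deployment would obtain per-recipient data keys from a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a unit of sensitive data as it travels through the pipeline.
// Only Ciphertext leaves the capture point; storage and transport layers
// never see the plaintext, so there is no "data in the clear" to steal.
type Record struct {
	ID         string // non-secret identifier, authenticated as associated data
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext || 16-byte tag
}

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts plaintext as soon as it is acquired. The record ID is
// authenticated (not encrypted) so a ciphertext cannot be silently re-labelled.
func Protect(key []byte, id string, plaintext []byte) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	return Record{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// Reveal is the only step that produces plaintext, and only for the intended
// key holder. Any change to the ciphertext, nonce or ID fails authentication.
func Reveal(key []byte, r Record) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID))
	if err != nil {
		return nil, errors.New("record failed authentication: wrong key or tampered data")
	}
	return pt, nil
}

// Relay simulates a storage or transport hop (device -> cloud -> data centre):
// it copies the record without needing the key, so the hop holds no value to a thief.
func Relay(r Record) Record {
	cp := r
	cp.Nonce = append([]byte(nil), r.Nonce...)
	cp.Ciphertext = append([]byte(nil), r.Ciphertext...)
	return cp
}

// RandomKey generates a 256-bit data key (constructed here; in practice issued
// and escrowed by a key management service).
func RandomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	key, _ := RandomKey()
	rec, _ := Protect(key, "patient-0001", []byte("MRN 12345; dx: hypertension")) // constructed sample
	stored := Relay(rec)
	pt, err := Reveal(key, stored)
	fmt.Printf("intended party: %q err=%v\n", pt, err)

	other, _ := RandomKey()
	_, err = Reveal(other, stored)
	fmt.Println("wrong key:", err)

	stored.Ciphertext[0] ^= 0x01
	_, err = Reveal(key, stored)
	fmt.Println("tampered:", err)
}
```

The point of the `Relay` step is that every intermediate system can be compromised without exposing the record; the stolen-desktop case above would have been a non-event for the patients if the data had been stored in this form rather than merely behind a login password.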

This is a guest post by Dwayne Melancon, Chief Technical Officer of Tripwire:

The time has come to examine how System State Intelligence (SSI) relates to the “kill chain” – also known as the “intrusion kill chain,” or the “cyber kill chain”. Why? Because in most enterprises there is a bias toward the network-centric and event-centric elements of intrusion detection, and there needs to be better integration of the state-centric security elements in order to ultimately improve security effectiveness.

The Lockheed paper defines a kill chain as “the structure of the intrusion, and the corresponding model [which] guides analysis to inform actionable security intelligence.” In other words, rather than trying to look at network security events in isolation as a separate population of data, they should be integrated by grouping them according to the attack vectors.

The intrusion kill chain can be thought of as “supply chain management” for cyber attacks, and the endgame is to produce an objective model for dealing with attacks as early in the process chain as possible by aligning responses to the stage and severity level of an attack.

A core assumption in any kill chain analysis is that an attacker has to progress through each stage of the chain before they achieve their objective, and it takes just one successful mitigation effort to disrupt this progress and thwart the attacker.

System State Intelligence (SSI)

System State Intelligence (SSI) is an approach to security that is designed to identify the leading indicators of any security compromise, to reduce the number of false positives, and in the end increase the accuracy of network incident detection.

Effective SSI requires the presence of several key capabilities. First of all, it must provide full awareness of the state of your network systems, including how they are configured and whether that configuration corresponds to policies. This level of awareness anchors system states to a recognizable baseline – a “known and trusted state.”

Secondly, SSI must include continuous monitoring of those systems for any changes or deviations from the baseline or the configuration policies, and must use this awareness to detect any unwarranted events in order to foster security-based context and prioritizations. SSI lets you continuously know what the state of your systems was, what it should be, and how it’s changing in real time.

How Does System State Intelligence Strengthen the Intrusion Kill Chain?

SSI contributes to the intrusion kill chain in most of the phases of an attack. The following table provides some examples:

This is not a comprehensive list, but should provide some food for thought about how SSI is involved in the intrusion kill chain.

SSI Can Improve the Effectiveness of Other Security Tools and Processes

In addition to the examples in the table above, SSI can also increase the timeliness and accuracy of security incident detection efforts, as well as increase the overall effectiveness of other network security tools. For example, it can reduce false positives because suspicious changes to the system state are strong initial indicators of attack, and SSI alerts are typically free of false positives.

SSI can also find evidence of a compromise faster, because once SSI has identified a suspicious change to a group of systems that knowledge enables a more targeted investigation to ensue.

If you typically perform full-packet captures of data on your network, you end up with an overwhelming amount of data, which can be an obstacle when you are conducting an incident investigation. With SSI, you can begin the investigation by looking for something specific, such as the traffic that interacted with specific (compromised) systems in a given time window and is associated with specific user accounts.
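The two SSI capabilities described above (anchoring systems to a known and trusted baseline and then detecting and prioritising deviations from it) and the investigation-scoping use of the result, as one added example in Go. This is illustrative code, not Tripwire's product logic or code from the guest post: the host "state", the policy list of high-priority items, the detection time and the flow records standing in for a packet-capture index are all constructed, and the hypothetical `Snapshot`, `Compare` and `ScopeInvestigation` functions are mine.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// State is one host's security-relevant configuration, keyed by item
// (a file path or a setting name). All values below are constructed.
type State map[string]string
// Baseline holds the SHA-256 of every item in the known and trusted state.
type Baseline map[string]string
// Deviation is one difference between baseline and observed state:
// Kind is added, removed or modified; Priority is high or low.
type Deviation struct{ Item, Kind, Priority string }
// Policy marks items whose change is always high priority (hypothetical list).
var Policy = map[string]bool{"/etc/passwd": true, "/etc/sudoers": true, "sshd:PermitRootLogin": true}

func digest(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Snapshot anchors the trusted state by hashing every item.
func Snapshot(s State) Baseline {
	b := make(Baseline, len(s))
	for k, v := range s {
		b[k] = digest(v)
	}
	return b
}

func priority(item string) string {
	if Policy[item] {
		return "high"
	}
	return "low"
}

// Compare lists how the observed state deviates from the baseline, each
// deviation carrying its policy priority, sorted by item for stable output.
func Compare(b Baseline, observed State) []Deviation {
	var out []Deviation
	for item, want := range b {
		got, ok := observed[item]
		if !ok {
			out = append(out, Deviation{item, "removed", priority(item)})
		} else if digest(got) != want {
			out = append(out, Deviation{item, "modified", priority(item)})
		}
	}
	for item := range observed {
		if _, ok := b[item]; !ok {
			out = append(out, Deviation{item, "added", priority(item)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Item < out[j].Item })
	return out
}

// Flow is a constructed stand-in for one record from a full-packet-capture index.
type Flow struct {
	When               time.Time
	Host, User, Remote string
}

// ScopeInvestigation keeps only flows that touched the given hosts within a
// window around the detected change, so analysis starts from a specific question.
func ScopeInvestigation(flows []Flow, hosts map[string]bool, changedAt time.Time, window time.Duration) []Flow {
	var keep []Flow
	for _, f := range flows {
		inWindow := !f.When.Before(changedAt.Add(-window)) && !f.When.After(changedAt.Add(window))
		if hosts[f.Host] && inWindow {
			keep = append(keep, f)
		}
	}
	return keep
}

func main() {
	trusted := State{"/etc/passwd": "root:x:0:0", "/etc/sudoers": "root ALL=(ALL) ALL",
		"/etc/motd": "Welcome", "sshd:PermitRootLogin": "no"}
	base := Snapshot(trusted)
	observed := State{"/etc/passwd": "root:x:0:0", "/etc/sudoers": "root ALL=(ALL) ALL\nbackup ALL=(ALL) NOPASSWD:ALL",
		"/etc/motd": "Welcome!", "sshd:PermitRootLogin": "yes", "/opt/app/.cache/x.so": "\x7fELF"}
	for _, d := range Compare(base, observed) {
		fmt.Printf("%-4s %-8s %s\n", d.Priority, d.Kind, d.Item)
	}
	t0 := time.Date(2013, 4, 23, 10, 0, 0, 0, time.UTC) // constructed detection time
	flows := []Flow{
		{t0.Add(-5 * time.Minute), "srv-01", "backup", "203.0.113.7"},
		{t0.Add(3 * time.Hour), "srv-01", "alice", "198.51.100.2"},
		{t0.Add(2 * time.Minute), "srv-02", "bob", "203.0.113.7"},
	}
	for _, f := range ScopeInvestigation(flows, map[string]bool{"srv-01": true}, t0, 30*time.Minute) {
		fmt.Println("investigate:", f.When.Format(time.RFC3339), f.Host, f.User, f.Remote)
	}
}
```

Running it lists the sudoers and `PermitRootLogin` changes as high priority and the banner edit and new cache file as low, then reduces three captured flows to the single one that touched the affected host around the change time. The priority lookup is the "security-based context" the text refers to: the same change-detection mechanism rates a motd edit and a sudoers edit very differently.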

The Bottom Line

In short, using SSI to determine your starting points enables a more efficient, focused investigation, which enhances the value of your full-packet capture systems and increases the effectiveness of your security staff. We are just barely scratching the surface here, but hopefully you can see that System State Intelligence is a core capability that will serve to strengthen your intrusion kill chain.

Tripwire is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk